diff --git a/assets/rbac/main_attacher_binding.yaml b/assets/rbac/attacher_binding.yaml
similarity index 74%
rename from assets/rbac/main_attacher_binding.yaml
rename to assets/rbac/attacher_binding.yaml
index 3aabea1b..8104e8c6 100644
--- a/assets/rbac/main_attacher_binding.yaml
+++ b/assets/rbac/attacher_binding.yaml
@@ -1,12 +1,12 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: openstack-cinder-csi-main-attacher-binding
+ name: openstack-cinder-csi-attacher-binding
 subjects:
 - kind: ServiceAccount
 name: openstack-cinder-csi-driver-controller-sa
 namespace: openshift-cluster-csi-drivers
 roleRef:
 kind: ClusterRole
- name: openshift-csi-main-attacher-role
+ name: openstack-cinder-external-attacher-role
 apiGroup: rbac.authorization.k8s.io
diff --git a/assets/rbac/attacher_role.yaml b/assets/rbac/attacher_role.yaml
new file mode 100644
index 00000000..366c9385
--- /dev/null
+++ b/assets/rbac/attacher_role.yaml
@@ -0,0 +1,20 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: openstack-cinder-external-attacher-role
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments/status"]
+ verbs: ["patch"]
diff --git a/assets/rbac/lease_leader_election_role.yaml b/assets/rbac/lease_leader_election_role.yaml
deleted file mode 100644
index 0791c7b0..00000000
--- a/assets/rbac/lease_leader_election_role.yaml
+++ /dev/null
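Review bot: Changing `metadata.name` of this ClusterRoleBinding (and likewise in the provisioner, resizer and snapshotter binding hunks) means the previously applied object `openstack-cinder-csi-main-attacher-binding` is no longer managed by the list in starter.go, but nothing in this commit deletes it; the same applies to the two deleted reader bindings and the namespaced lease Role/RoleBinding. I cannot see whether the static resources controller prunes objects whose manifests are dropped; if it does not, the stale bindings keep granting the old `openshift-csi-main-*-role` ClusterRoles to `openstack-cinder-csi-driver-controller-sa`, so the new, narrower roles do not reduce the service account's effective permissions on already-deployed clusters. Either add an explicit one-time removal of the old names, or at minimum record the supersession in the manifest, e.g. `# supersedes ClusterRoleBinding openstack-cinder-csi-main-attacher-binding; remove the old object on upgrade`.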
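Review bot: This ClusterRole carries no `coordination.k8s.io` `leases` rule, and neither do the new provisioner_role.yaml and resizer_role.yaml hunks, while the commit deletes the namespaced `openstack-cinder-csi-driver-lease-leader-election` Role that previously granted leases to the controller service account. Whether the attacher, provisioner and resizer sidecars run with leader election is not visible here; if they do, they now work only because snapshotter_role.yaml grants leases cluster-wide to the same service account, which is an implicit dependency that trimming snapshotter_role would silently break. I would keep a dedicated namespaced leases Role/RoleBinding for the controller service account, or at least add a comment above `rules:` in each of the three roles, e.g. `# leader-election leases for this sidecar are granted by snapshotter_role.yaml`, so the coupling is documented.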
@@ -1,10 +0,0 @@
-# Role for electing leader by the operator
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: openstack-cinder-csi-driver-lease-leader-election
- namespace: openshift-cluster-csi-drivers
-rules:
-- apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
diff --git a/assets/rbac/lease_leader_election_rolebinding.yaml b/assets/rbac/lease_leader_election_rolebinding.yaml
deleted file mode 100644
index b48cb71c..00000000
--- a/assets/rbac/lease_leader_election_rolebinding.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-# Grant controller access to leases
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: openstack-cinder-csi-driver-lease-leader-election
- namespace: openshift-cluster-csi-drivers
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: openstack-cinder-csi-driver-lease-leader-election
-subjects:
-- kind: ServiceAccount
- name: openstack-cinder-csi-driver-controller-sa
- namespace: openshift-cluster-csi-drivers
diff --git a/assets/rbac/main_snapshotter_binding.yaml b/assets/rbac/provisioner_binding.yaml
similarity index 73%
rename from assets/rbac/main_snapshotter_binding.yaml
rename to assets/rbac/provisioner_binding.yaml
index e0a5c06f..71388b76 100644
--- a/assets/rbac/main_snapshotter_binding.yaml
+++ b/assets/rbac/provisioner_binding.yaml
@@ -1,12 +1,12 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: openstack-cinder-csi-main-snapshotter-binding
+ name: openstack-cinder-csi-provisioner-binding
 subjects:
 - kind: ServiceAccount
 name: openstack-cinder-csi-driver-controller-sa
 namespace: openshift-cluster-csi-drivers
 roleRef:
 kind: ClusterRole
- name: openshift-csi-main-snapshotter-role
+ name: openstack-cinder-external-provisioner-role
 apiGroup: rbac.authorization.k8s.io
diff --git a/assets/rbac/provisioner_role.yaml b/assets/rbac/provisioner_role.yaml
new file mode 100644
index 00000000..b130c448
--- /dev/null
+++ b/assets/rbac/provisioner_role.yaml
@@ -0,0 +1,29 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: openstack-cinder-external-provisioner-role
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
diff --git a/assets/rbac/main_resizer_binding.yaml b/assets/rbac/resizer_binding.yaml
similarity index 74%
rename from assets/rbac/main_resizer_binding.yaml
rename to assets/rbac/resizer_binding.yaml
index ef0f3fb9..9d0a9612 100644
--- a/assets/rbac/main_resizer_binding.yaml
+++ b/assets/rbac/resizer_binding.yaml
@@ -1,12 +1,12 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: openstack-cinder-main-resizer-binding
+ name: openstack-cinder-csi-resizer-binding
 subjects:
 - kind: ServiceAccount
 name: openstack-cinder-csi-driver-controller-sa
 namespace: openshift-cluster-csi-drivers
 roleRef:
 kind: ClusterRole
- name: openshift-csi-main-resizer-role
+ name: openstack-cinder-external-resizer-role
 apiGroup: rbac.authorization.k8s.io
diff --git a/assets/rbac/resizer_role.yaml b/assets/rbac/resizer_role.yaml
new file mode 100644
index 00000000..6c3c3126
--- /dev/null
+++ b/assets/rbac/resizer_role.yaml
@@ -0,0 +1,23 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: openstack-cinder-external-resizer-role
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
diff --git a/assets/rbac/main_provisioner_binding.yaml b/assets/rbac/snapshotter_binding.yaml
similarity index 73%
rename from assets/rbac/main_provisioner_binding.yaml
rename to assets/rbac/snapshotter_binding.yaml
index e8f9e39f..3157a563 100644
--- a/assets/rbac/main_provisioner_binding.yaml
+++ b/assets/rbac/snapshotter_binding.yaml
@@ -1,12 +1,12 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: openstack-cinder-csi-main-provisioner-binding
+ name: openstack-cinder-csi-snapshotter-binding
 subjects:
 - kind: ServiceAccount
 name: openstack-cinder-csi-driver-controller-sa
 namespace: openshift-cluster-csi-drivers
 roleRef:
 kind: ClusterRole
- name: openshift-csi-main-provisioner-role
+ name: openstack-cinder-external-snapshotter-role
 apiGroup: rbac.authorization.k8s.io
diff --git a/assets/rbac/snapshotter_role.yaml b/assets/rbac/snapshotter_role.yaml
new file mode 100644
index 00000000..95712f24
--- /dev/null
+++ b/assets/rbac/snapshotter_role.yaml
@@ -0,0 +1,38 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: openstack-cinder-external-snapshotter-role
+rules:
+- apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list"]
+- apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+- apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents/status"]
+ verbs: ["update", "patch"]
+- apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list", "watch", "update"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["create", "list", "watch", "delete"]
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
diff --git a/assets/rbac/storageclass_reader_resizer_binding.yaml b/assets/rbac/storageclass_reader_resizer_binding.yaml
deleted file mode 100644
index b7241bb4..00000000
--- a/assets/rbac/storageclass_reader_resizer_binding.yaml
+++ /dev/null
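Review bot: The `apiextensions.k8s.io` / `customresourcedefinitions` rule with `create`, `list`, `watch`, `delete` gives the controller service account the ability to create and delete CRDs cluster-wide, which is far broader than a snapshot sidecar needs unless the deployed external-snapshotter still installs its own CRDs; deleting a CRD removes every object of that type in the cluster. The `leases` rule at the end is also now cluster-scoped, whereas the Role removed in this commit limited the same verbs to `openshift-cluster-csi-drivers`, so this part of the change widens that permission rather than narrowing it. If the snapshot CRDs are installed elsewhere (not visible here), drop the CRD rule; if it must stay, document the reason above it, e.g. `# CRD create/delete is required only while the snapshotter sidecar manages its own CRDs`. Minor: this file uses flush sequences (`- apiGroups`) while attacher_role.yaml, provisioner_role.yaml and resizer_role.yaml indent them; pick one style for the directory.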
@@ -1,12 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: openstack-cinder-csi-storageclass-reader-resizer-binding
-subjects:
- - kind: ServiceAccount
- name: openstack-cinder-csi-driver-controller-sa
- namespace: openshift-cluster-csi-drivers
-roleRef:
- kind: ClusterRole
- name: openshift-csi-resizer-storageclass-reader-role
- apiGroup: rbac.authorization.k8s.io
diff --git a/assets/rbac/volumesnapshot_reader_provisioner_binding.yaml b/assets/rbac/volumesnapshot_reader_provisioner_binding.yaml
deleted file mode 100644
index 47765820..00000000
--- a/assets/rbac/volumesnapshot_reader_provisioner_binding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: openstack-cinder-csi-volumesnapshot-reader-provisioner-binding
-subjects:
- - kind: ServiceAccount
- name: openstack-cinder-csi-driver-controller-sa
- namespace: openshift-cluster-csi-drivers
-roleRef:
- kind: ClusterRole
- name: openshift-csi-provisioner-volumesnapshot-reader-role
- apiGroup: rbac.authorization.k8s.io
diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
index b51cf8a4..8b246b7a 100644
--- a/pkg/operator/starter.go
+++ b/pkg/operator/starter.go
@@ -94,21 +94,21 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller
 "node_sa.yaml",
 "service.yaml",
 "cabundle_cm.yaml",
- "rbac/main_attacher_binding.yaml",
+ "rbac/attacher_role.yaml",
+ "rbac/attacher_binding.yaml",
 "rbac/privileged_role.yaml",
 "rbac/controller_privileged_binding.yaml",
 "rbac/node_privileged_binding.yaml",
- "rbac/main_provisioner_binding.yaml",
- "rbac/volumesnapshot_reader_provisioner_binding.yaml",
- "rbac/main_resizer_binding.yaml",
- "rbac/storageclass_reader_resizer_binding.yaml",
- "rbac/main_snapshotter_binding.yaml",
+ "rbac/provisioner_role.yaml",
+ "rbac/provisioner_binding.yaml",
+ "rbac/resizer_role.yaml",
+ "rbac/resizer_binding.yaml",
+ "rbac/snapshotter_role.yaml",
+ "rbac/snapshotter_binding.yaml",
 "rbac/kube_rbac_proxy_role.yaml",
 "rbac/kube_rbac_proxy_binding.yaml",
 "rbac/prometheus_role.yaml",
 "rbac/prometheus_rolebinding.yaml",
- "rbac/lease_leader_election_role.yaml",
- "rbac/lease_leader_election_rolebinding.yaml",
 },
 ).WithConditionalStaticResourcesController(
 "OpenStackCinderDriverConditionalStaticResourcesController",